How to debug Firebase issues by Wireshark? - android

I am trying to debug a Firebase issue where for the same query I am receiving different responses.
The issue has been posted here
As I couldn't reproduce the issue in a separate example application.
I was wondering if it would be possible to disable HTTPS encryption and access Firebase temporarily on debug apps, using HTTP without transit encryption.
This would allow comparing the exact data sent and received by the different apps so that the issue could be addressed. Without encryption, Wireshark or similar tools could be used to compare traffic sent and received by different apps, which always proves to be very useful in these kinds of issues.
Thanks in advance.

There is no way to get content from/to your Firebase Database over an unencrypted connection.
To see the traffic between a client and the Firebase Database you can simply enable debug logging in your Android code:
FirebaseDatabase.getInstance().setLogLevel(Logger.Level.INFO)
See the Firebase reference documentation and this question: Debugging Firebase Database.

Related

Firebase Storage hide data from the developer [duplicate]

I am new to firebase and I am doing for chat application.
In my firebase console, I can see raw data like this. Since it is private information, can I hide some info (or all)?
If I cannot hide, I have used encryption for "text". So, in my mobile device, I encrypt and decrypt. It is still okay. Problem is I cannot search/query text because it is already encrypted in server. How shall I do?
If I can just hide data in firebase console, I don't need to do encryption, etc already. Purpose is to prevent developer (like me) to see user data.
There is no way to hide certain data in the Firebase console. The only thing you can do is revoke the permission of the developer to see the database altogether.
Doing client-side encryption/decryption (also known as end-to-end encryption) is a common solution for your scenario. But that does mean that your searches will also need to search for encrypted values.
While this is a bit tricky, it is possible and has been done by developers before you in a similar situation. If you're having trouble making it work, post a question with the minimal code that reproduces where you got stuck and we'll have a look.
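One way to make equality search work over client-side encrypted text is a keyed "blind index" stored next to the ciphertext; the sketch below is an added example, not code from the question or the answer. The class name `BlindIndex`, the all-zero demo key and the `idx/<token>` storage layout are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.text.Normalizer;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class BlindIndex {
    private final SecretKeySpec indexKey;

    // The index key must differ from the message-encryption key and stay on the clients.
    public BlindIndex(byte[] keyBytes) {
        this.indexKey = new SecretKeySpec(keyBytes, "HmacSHA256");
    }

    // Normalise so case and Unicode composition differences map to the same token.
    static String normalise(String word) {
        return Normalizer.normalize(word, Normalizer.Form.NFKC).trim().toLowerCase(Locale.ROOT);
    }

    // Deterministic keyed token for one word: hex(HMAC-SHA256(indexKey, normalised word)).
    public String token(String word) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(indexKey);
        byte[] tag = mac.doFinal(normalise(word).getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : tag) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Tokens to write beside the ciphertext (assumed layout: child keys "idx/<token>": true).
    public Set<String> tokensFor(String plaintext) throws GeneralSecurityException {
        Set<String> out = new TreeSet<>();
        for (String w : plaintext.split("[^\\p{L}\\p{N}]+")) {
            if (!w.isEmpty()) out.add(token(w));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] demoKey = new byte[32]; // constructed all-zero key, for the demo only
        BlindIndex idx = new BlindIndex(demoKey);
        Set<String> stored = idx.tokensFor("Meet me at the Station"); // constructed sample message
        // A searching client recomputes the token and queries for it; the server never sees the word.
        System.out.println("station -> " + stored.contains(idx.token("station")));
        System.out.println("airport -> " + stored.contains(idx.token("airport")));
    }
}
```

This supports whole-word equality matches only, and anyone who can read the database can still see which messages share a token, so word frequency leaks even though the words themselves do not.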

What data is being sent to the Fabric server ? [Fabric/Crashlytics]

We are working on a restricted Banking iOS/Android App and before integrating Fabric.io to our app we need to know what data will be sent to Fabric cloud.
Our two main concerns are :
What is the data that will be sent to Fabric servers?
Is there a possibility that it can send any sensitive data like
accessKey/username/password etc.
Does it have access to all the codes in our app?
Mike from Fabric here. We collect just the minimum amount of data to provide you with high quality crash reporting. Many apps from the banking and financial industries use Crashlytics without any issue.
1) Take a look here where another individual has asked the question.
2) No, unless you choose to record this information using custom keys or logs. I strongly recommend never logging this information.
3) We do not have access to any source code. A dSYM on iOS or mapping file on Android is uploaded in order for us to map back from the un-symbolicated crash report to an accurate crash.
As you know, Fabric is an analytical tool that mainly sends crashes and events to its server. You can define events that you want to send. It doesn't have access to your secret data.

How Can I Whitelist a Firebase App?

We are trying to whitelist an iOS/Android app that is built with Firebase. The goal is to identify the data that these apps use so that it will not count towards users' data usage.
In the simple scenario, just whitelisting the IP address of the Firebase database would be enough. However, I have spoken with Firebase support and they can't provide static IP addresses as they change often. The other option would be the domain name but that also can't work since the Firebase connection is established over HTTPS.
One last option is using the Server Name Indication, however Firebase responded indicating that it wouldn't be an option.
That leaves me no options so I wanted to turn to the Stackoverflow community to see if anyone was able to whitelist a Firebase app.
Thanks,
Guven.

How to encrypt crash data with Crashlytics/Fabric

I am looking for a way to encrypt the data sent with the crash from the app to the Fabric servers.
Checking the official documentation I didn't find a method or a property to enable a sort of encryption.
What are you worried about?
A hacker hijacking your network data? Well - all Crashlytics communication is done via SSL. If hackers perform a MITM attack on your app, then crash reports are the least of your problems.
Someone reverse-engineering your app? Well - they won't do it through your crash reports - that's for sure. Not when "decompiling" the Java bitcode straight from the APK is so much easier.
Your best approach here would be to obfuscate your code using Proguard.
Someone identifying a key component of your app through the crash log? Again - easier via the APK itself.
Someone you don't trust, from your organization, learning stuff about your app from the crash results? You shouldn't give untrusted people access to your Crashlytics data. And if you do - obfuscate first.
So, IMHO, this is a non-issue.
You are asking "from the app to the fabric servers".
If you mean exactly that then you are already covered, already encrypted and safe over the networks:
From their docs and probably easy to verify:
"All server communication is completed over SSL using packed-binary file format"
I'm assuming they actually mean TLS.
If you however mean that the Fabric servers shouldn't be able to understand the data sent (sounds strange), I don't know.
If it shouldn't understand your proguard/dexguard obfuscation (stack traces etc) then don't allow it to get your obfuscation mapping files.

Device to device messaging using GCM without registering an app server

Is it possible for a device to send message to other devices using Google cloud messaging without an app server at all?
I have a centralized database using Google Cloud Datastore. The app will get required registration ids from the centralized database and the database is updated by all the devices. So, getting registration ids is not a problem.
Can this be done using upstream messaging? I am not sure because I have searched a lot but never saw an example where an app server is not used for this purpose.
This question is not a duplicate of another question, because here I have a central database to store registration ids, which is mentioned as a problem in another question.
In the most basic sense no, not at this time. You cannot send an upstream message from one device to another without an app server. You can create an app server on your device application but that is not recommended. The current recommendation would be to use an app server to facilitate your device to device messages.
To answer is it possible? Yes it is.
Some time back I created a POC to send a GCM message to self, so I know it's very much possible. I configured my GCM to work with any IP in the developer console, i.e. 0.0.0.0.
Just use HTTP POST to send your message from Android as you would have done from the server.
Like (most) everything else, there is an API for that.
Google hosts its GCM service on GCM Connection Servers. The official document requires you to create an App Server to issue the API requests to the Connection Servers.
Alternatively you could setup the Connection Server to accept requests from any IP around the world, and then issue the requests via your client app. The API is here and it's quite simple.
Security issues
Bundling your API key with your app, and setting the Connection Server to unrestricted connections is an obvious major security issue.
Why bother?
Why bother doing all of this? Instead I would use a free service like Parse.com, which takes care of the users database and offers up to 1000000 messages a month free.
Has anyone actually done this? I would like to see an example Android project.
